Liberty
Liberty is a memory resident generic file infector on MS-DOS that infects .COM, .EXE, and overlay files. COMMAND.COM may also become infected. In advanced infections, the virus may also infect boot sectors. There are 10 variants: * Virus.DOS.Liberty.A * Virus.DOS.Liberty.B * Virus.DOS.Liberty.C * Virus.DOS.Liberty.D * Virus.DOS.Liberty.E * Virus.DOS.Liberty.F * Virus.DOS.Liberty.G * Virus.DOS.Liberty.H * Virus.DOS.Liberty.I * Virus.DOS.Liberty.J Name The Liberty virus gets its name from the text string "Liberty" which will appear in all infected files. In .EXE files, it will be located in the last 3K of the file. In .COM files, it will appear near the very beginning of the program, as well as within the last 3K of the infected file. Payload The first time a file infected with the Liberty virus is executed, the virus will become memory resident. Liberty installs itself resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory will decrease by 8,496 bytes. Interrupts 21 and 24 will be hooked by the virus in memory, as well as interrupt 62 which will map to free available memory. After becoming memory resident, programs which are executed may be infected by the virus. All .EXE files will be infected, but only .COM files over 2K in length will become infected. Overlay files will also become infected. Infected files will increase in size between 2,859 and 2,873 bytes, and will end with the hex character string: 80722D80FA81772880. The main body of the virus will be located at the end of all infected files. Infected files will have had their file date and time in the DOS disk directory updated to the current system date and time when infection occurred. Infected .COM files can also be identified by the following text string which will appear near the beginning of the infected program: "- M Y S T I C - COPYRIGHT © 1989-2000, by SsAsMsUsEsL" This string does not appear in infected .EXE files, the area where this string would have appeared in infected .EXE files will be 00h characters. Liberty is a self-encrypting virus. It is not yet known if it is destructive. Variants Liberty-B This strain is functionally similar to the original Liberty virus. The string which occurs at the end of all infected files has been changed to: C8004C40464842020EB. The word "MAGIC" will also be found repeated together many times in infected files. The file date and time in the DOS disk directory will also have been altered in Liberty-B infected files to the system date and time when infection occurred. Liberty-C This variant is very similar to Liberty-B. There are 16 bytes which have been changed. Like Liberty-B, the word "MAGIC" will be found repeated together many times in infected files. The string which occurs at the end of all infected files has been changed to: C8004C404648422020E9. File date and time change to system date and time when infection occurred is also experienced with this variant. Liberty-D Functionally equivalent to Liberty. This variant has the "MAGIC" text string repeated many times. Liberty-E Functionally equivalent to Liberty. This variant does not contain the "MAGIC" text string at all. Liberty-F Liberty-F is almost identical to Liberty-D. It has two bytes which differ in the viral code. Liberty-G Liberty-G is almost identical to Liberty-E. It has two bytes which differ within it's viral code. Liberty-H Liberty-H is almost identical to Liberty-D and Liberty-F. Differing by two bytes within the viral code. It also has 13 bytes which differ from Liberty-C, and seven bytes which differ from Liberty-B. Liberty-I Liberty-I is almost identical to Liberty-E and Liberty-G. It has two bytes within the viral code which differ. Liberty-J Liberty-J is almost identical to Liberty-H. There are three bytes within the viral code which differ. Category:DOS Category:Virus Category:DOS virus Category:Assembly Category:TSR Category:Encrypted virus